PT-2022-15863 · WordPress · Student Result/Employee Database Wordpress Plugin

Krishna Harsha Kondaveeti

Published 2022-08-22 · Updated 2023-06-27

CVE-2022-2312

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Student Result or Employee Database WordPress plugin, versions prior to 1.7.5

Description: The plugin does not perform CSRF checks (WordPress nonce verification) in its AJAX actions, allowing an attacker to make a logged-in user with a role as low as Contributor add, edit, or delete students via a CSRF attack. Furthermore, the lack of sanitization and escaping of the submitted fields could also lead to stored cross-site scripting.

Recommendations: For versions prior to 1.7.5, update to version 1.7.5 or later. As a temporary workaround, restrict access to the plugin's AJAX actions to minimize the risk of exploitation, and prevent Contributor-role users from adding, editing, or deleting students until the plugin has been updated.
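To illustrate the two weaknesses in the Description and the fix the Recommendations point to, the following is an added example, not code from the plugin or from this advisory: a minimal WordPress admin-ajax handler for a "student" record, first in the vulnerable shape the advisory describes (no nonce, no capability check, no sanitization or escaping), then hardened. The action name, field names, table name and nonce action are hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code). Hypothetical action/field/table names.
 *
 * Vulnerable shape: if this were hooked to wp_ajax_demo_add_student, any site
 * that can get a logged-in user to submit a form to admin-ajax.php would have
 * the request run with that user's cookies and no proof of intent.
 */
function demo_add_student_vulnerable() {
    global $wpdb;
    // No check_ajax_referer(): a cross-site form submission is accepted.
    // No current_user_can(): any authenticated role can reach this.
    $wpdb->insert(
        $wpdb->prefix . 'demo_students',
        array( 'name' => $_POST['name'], 'grade' => $_POST['grade'] )
    );
    // Raw input echoed and stored unescaped: stored XSS when rendered later.
    echo 'Added ' . $_POST['name'];
    wp_die();
}

/**
 * Hardened shape: nonce (CSRF), capability (authorisation), sanitisation
 * (storage) and escaping (output) are four separate controls.
 */
add_action( 'wp_ajax_demo_add_student', 'demo_add_student_hardened' );
function demo_add_student_hardened() {
    // 1. CSRF: the request must carry a nonce bound to this action and to the
    //    current user. On a missing or stale nonce this dies with HTTP 403.
    check_ajax_referer( 'demo_student_nonce', '_ajax_nonce' );

    // 2. Authorisation: a nonce proves intent, not privilege. Require a
    //    capability so a Contributor cannot manage student records at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input: validate and sanitise before anything is stored.
    $name  = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $grade = isset( $_POST['grade'] ) ? absint( $_POST['grade'] ) : 0;
    if ( '' === $name || $grade > 100 ) {
        wp_send_json_error( array( 'message' => 'Invalid input' ), 400 );
    }

    global $wpdb;
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'demo_students',
        array( 'name' => $name, 'grade' => $grade ),
        array( '%s', '%d' )
    );
    if ( false === $inserted ) {
        wp_send_json_error( array( 'message' => 'Database error' ), 500 );
    }

    // 4. Output: escape at render time even though the value was sanitised.
    wp_send_json_success( array( 'html' => 'Added ' . esc_html( $name ) ) );
}

/**
 * The nonce has to reach the JavaScript that calls the action; the usual
 * pattern is to hand it over with wp_localize_script() when enqueuing.
 */
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'demo-students',
        plugins_url( 'demo-students.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'demo-students', 'demoStudents', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_student_nonce' ),
    ) );
} );
```

The capability check on its own is the "restrict access to the AJAX actions" workaround from the Recommendations: it shrinks the set of users whose session can be abused, but an administrator who visits a malicious page is still exposed until the nonce check is in place, which is why the update, not the workaround, is the fix. The edit and delete handlers need the same four controls; only the add handler is shown.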

Exploit

Fix

IDOR

CSRF

Weakness Enumeration

Related Identifiers

CVE-2022-2312

Affected Products

Student Result/Employee Database Wordpress Plugin